Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

7

03f80b7dba...c5.exe

windows7-x64

7

03f80b7dba...c5.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/06/2024, 01:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03f80b7dba1209d54298ffee6dd7d6c5.exe

  • Size

    387KB

  • MD5

    03f80b7dba1209d54298ffee6dd7d6c5

  • SHA1

    2dd649fcbafa9ef687995150e0f29592e5109320

  • SHA256

    bd801ec767786092b2b82051c673a9779cc3698b8b15b10146b90f4928d9f9a8

  • SHA512

    25f3520ff60ee0616933f1afef7432c02fc635f4f2f5ee847b4dbbaabddfa0095fc5d58253b56eb3b19cc3cf71f655b76284c712f405b70a311225ac0cc1f589

  • SSDEEP

    6144:vrQ7XBrQ7XBrQ7XlrQ7XzdyctYrT7/PsW8EZd40seWs9Zxip:vrEBrEBrElrEzbtYLPsfEHlWs9ap

Score
7/10
spywarestealerupx

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 6 IoCs
  • Program crash 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3552
      • C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe
        "C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3092
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4288
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1496
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7B5A.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4988
            • C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe
              "C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe"
              4⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of WriteProcessMemory
              PID:3752
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7C15.bat
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:3512
                • C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe
                  "C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe"
                  6⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of WriteProcessMemory
                  PID:1048
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7C83.bat
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1860
                    • C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe
                      "C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe"
                      8⤵
                      • Executes dropped EXE
                      PID:2188
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 408
                        9⤵
                        • Program crash
                        PID:3700
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4680
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1524
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4476
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4512
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3544
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2188 -ip 2188
            1⤵
              PID:392

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\$$a7B5A.bat
              Filesize

              530B

              MD5

              5934de34f04d1e7b239836827ee67306

              SHA1

              7e0f363dedd99f4f7acc91cef92f2fe9deb57c62

              SHA256

              bd5093012a753906c2e0c1716deb23c36aa0922d75f1b3ea2352667317d224e7

              SHA512

              0756e1eb56b211be9e56b5da3ba0808ee7a9fdbf1f88720ac2cdfd9cd76948ee3bf1edbc8fa5d8b8eaedf78a4676a64d92993a1daed735d619e315087d54e807

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$a7C15.bat
              Filesize

              530B

              MD5

              916dd5451f893cc2002ee0476f025294

              SHA1

              f6445c14b62132e52aea31f09e8eeaf72a9c353e

              SHA256

              b116f084f8c8e8556f1b55ef2e0edd57c9b61a929137c3af5f42eb41f045d6fa

              SHA512

              db362a09540b2d20663cf6381b09eb6676db77e4a9ae62e38b9a7d0d55c2fdb2cc14046bbb37132571f34d8d7a55feeb1fffc1a374e2876e9ee9ace9b77366f7

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$a7C83.bat
              Filesize

              530B

              MD5

              6787ea5367b49b571d11806557506031

              SHA1

              95e9fa0b4f352a1b38372dabdf50a41d8d47ba0d

              SHA256

              cdf44ecddf85244d3b065907665f01fe7bf6b61401c13f1935e9ebdc51ddf5fa

              SHA512

              72cb9d6b43020f4ae76be2044556c6be79c88068bc763cd047489a7476df8bb9055318e71545085e5e5f202fbd9dd7c6e502ba485da9b607d07839f25bb2c747

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe.exe
              Filesize

              339KB

              MD5

              e290e3f05888c41b183b1b0ccf5a78e8

              SHA1

              fe1959dddfce6f7e87234165eea8d6eff33fc513

              SHA256

              7a19b98cbf1996794029692a052528cf14fc63363a1cd82b8e97c50a346ed83e

              SHA512

              039f807436ffe44334fb4ab97d32dafce031b628bf849c65b43a2735d79cf75b034ac5cf16c9ed106c2f699677aed8ad4ea3df6a0b6faecaf5f9b6aa8475f9ee

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe.exe
              Filesize

              291KB

              MD5

              db56329ce568e2d9a024fb904725e037

              SHA1

              7401f6ec77dc4f8b7e4ed0b18098a25288484a01

              SHA256

              4176a9e93eab3c08ca0d833521d619a36b70284b2fa0fbcb371305976cc2dbe6

              SHA512

              b618dc53e84db8e6d55c7986afc9574d462a833d0a411b0233b36f8e76082e3b1eb769f79d60babeab6650b3e28c3ad92485fe5b3123ce2b43fd381c9d000ab0

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe.exe
              Filesize

              243KB

              MD5

              b7ee473ea670df0f7ca4370ab87b8d4a

              SHA1

              f04f50f4ed202fac2d4bdd4672ed6a2389695a24

              SHA256

              a7489a46923034f0088dfaf200ccd66674438a091a99b1039bd5619e8e7f8e60

              SHA512

              ce1219a65e7a268150cfde043f693eb9c8173f78ef5aec67577517c57d80af665e013071b4f470c4ad233cbe7818d8a10678955344320d0f8286ecfb329e3e9d

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              48KB

              MD5

              88fedeec237fd85692523e1fc470a43f

              SHA1

              fe93b1c009682a49a48ed40f1f1e31ac026b16d9

              SHA256

              541cf3e519b509f16eb92b24da4bdb73af9873d5df9ceaa3400590de350d1858

              SHA512

              af1e1aa3c93166c5ab23243fed131415203f77ec4f34474522b35e646dcadd3ab5ca6243ef9eaa8236a071d4a69593c3f79e9297fab51c0a75f3093ce9ae08e5

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-2804150937-2146708401-419095071-1000\_desktop.ini
              Filesize

              9B

              MD5

              f0a92d08416cb87dc153ea387c708411

              SHA1

              37c1e98506bdb3d5ea2e7fcb62bb91c9bf5b4fb1

              SHA256

              478ccf01e44e5bd446e37007b199568a73c0452e34ce917945fd820710107464

              SHA512

              1dd7d96307c01abb2985ed1d39617787563174f5b90df9786106259ea12a08bdf39662c440bdc4b3ac4f6bb499a4aaf058ed18e06ef72be5f82f01b7150ec9a5

              Download Submit

            • memory/1048-27-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/1048-23-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/2188-31-0x0000000000400000-0x000000000046A000-memory.dmp

              Filesize

              424KB

              Download

            • memory/3092-0-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/3092-10-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/3752-19-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/3752-15-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/4680-11-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/4680-36-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/4680-3661-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/4680-8800-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download